Apache Log4j is an open-source component providing logging capabilities in some parts of Model RealTime. Recently a critical security vulnerability CVE-2021-44228 was discovered in it.
To keep your Model RealTime installations secure we have released a version 11.1.2021.46 iFix1, which includes Log4j version 2.15, where the vulnerability was addressed. It is available for download from Flexnet Operations portal.
For version 11.0, Model RealTime 11.0 2021.16 iFix1 has been released. Please note that Eclipse 2019-06 (the version used by Model RealTime 11.0) includes Log4j 1.2.15 which is not impacted by CVE-2021-44228, but could be vulnerable to CVE-2019-17571. The recommendation is to upgrade your installation to Model RealTime 11.1 2021.46 iFix1.
More detailed information about this can be found in this support article. For earlier versions of Model RealTime or in case you have any questions or concerns, please reach out to support.
Last week two new vulnerabilities CVE-2021-45046 and CVE-2021-45105 had been discovered in the Apache Log4j library. To address CVE-2021-45046 Log4j version 2.16 was released first and then to address CVE-2021-45105 version 2.17 was released several days later.
To keep your Model RealTime deployments secure we have released the following versions
Check this support article for details and updates on Model RealTime and Log4j.
And if you are using HCL Common Local License Server read the recommendations here.
Please reach out to support if you have any questions or concerns.